豆子今天无聊在github上看看有什么有意思的PowerShell脚本,无意中发现了PowerSploit这个项目,仔细看了看,这个模块是针对***测试写的,里面有大量相关的***脚本,随便找了一个试试看。


比如说这个,可以用来记录键盘的输入内容,完整的脚本我就不贴出来了。

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Get-Keystrokes.ps1


具体实现的功能先不去考虑,我很好奇他是怎么在后台执行的。可以看见脚本末尾这个作者使用的是runspace,他创建了一个runspace,然后传入脚本块和对应的参数,然后触发;


# Setup KeyLogger's runspace
    $PowerShell = [PowerShell]::Create()
    [void]$PowerShell.AddScript($Script)
    [void]$PowerShell.AddArgument($LogPath)
    if ($PSBoundParameters.Timeout) { [void]$PowerShell.AddArgument($Timeout) }
    # Start KeyLogger
    [void]$PowerShell.BeginInvoke()


这种方式看起来很眼熟啊,豆子之前学习多线程的时候,就是使用runspace来替代后台的job,因为runspace的性能效率要高的多;

http://beanxyz.blog.51cto.com/5570417/1760880


事实上,我看了一下 这个***脚本之前也是使用的job,最新的版本改成了runspace,可见知识是相通的~


执行试试看

Get-Keystrokes -LogPath C:\temp\key.log


然后随便输入一下命令,查看一下对应的日志文件是否有记录 ,果然成功记录了

PS C:\Windows\System32\WindowsPowerShell\v1.0> gc C:\temp\key.log
"TypedKey","WindowTitle","Time"
"l","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
"s","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
"","Administrator: Windows PowerShell ISE","9/06/2016 10:59:48 AM"
"g","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
"c","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
"< >","Administrator: Windows PowerShell ISE","9/06/2016 10:59:50 AM"
"c","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
"","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
":","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
"\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:51 AM"
"t","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"e","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"m","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"p","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"\","Administrator: Windows PowerShell ISE","9/06/2016 10:59:52 AM"
"k","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
"e","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
"y","Administrator: Windows PowerShell ISE","9/06/2016 10:59:53 AM"
"","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM"
"","Administrator: Windows PowerShell ISE","9/06/2016 10:59:54 AM"


如果我不管他,我所有的键盘操作都会被记录下来,那怎么停止这个监听?


查看一下runspace,我估计第二个最新的runspace应该是我刚刚创建的

PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-Runspace
 Id Name            ComputerName    Type          State         Availability   
 -- ----            ------------    ----          -----         ------------   
  1 Runspace1       localhost       Local         Opened        Busy           
  2 Runspace2       localhost       Local         Opened        Busy


查看一下有啥属性和方法,发现可以close掉他

PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-Runspace 2 | gm
   TypeName: System.Management.Automation.Runspaces.LocalRunspace
Name                         MemberType Definition                                                                                                                                                                                  
----                         ---------- ----------                                                                                                                                                                                  
AvailabilityChanged          Event      System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceAvailabilityEventArgs] AvailabilityChanged(System.Object, System.Management.Automation.Runspaces.RunspaceAvailabilit...
StateChanged                 Event      System.EventHandler`1[System.Management.Automation.Runspaces.RunspaceStateEventArgs] StateChanged(System.Object, System.Management.Automation.Runspaces.RunspaceStateEventArgs)             
ClearBaseTransaction         Method     void ClearBaseTransaction()                                                                                                                                                                 
Close                        Method     void Close()                                                                                                                                                                                
CloseAsync                   Method     void CloseAsync()                                                                                                                                                                           
Connect                      Method     void Connect()


执行试试

PS C:\Windows\System32\WindowsPowerShell\v1.0> (Get-Runspace 2).close()


成功停止这个runspace,后面没有继续写入了。


现在我根据同样的方法,自己写了一个类似的小程序试试。我打算写一个后台程序,每隔30秒就弹出一个对话框,告诉我注意休息~


$scriptblock={
while($true){
$MessageboxTitle = “Health Reminder”
$Messageboxbody = “Please have a break, my lord”
$MessageIcon = [System.Windows.MessageBoxImage]::Information
$ButtonType = [System.Windows.MessageBoxButton]::OK
[System.Windows.MessageBox]::Show($Messageboxbody,$MessageboxTitle,$ButtonType,$messageicon)
Start-Sleep -Seconds 30
}
}
$job=[powershell]::create()
$job.addscript($scriptblock)
$job.begininvoke()



从Powershell ***脚本学到的如何执行后台runspace~_第1张图片


经测试,每隔30秒就会跳出这个对话框,成功!j_0003.gif